Channel: Malware don't need Coffee

CVE-2015-1671 (silverlight up to 5.1.30514.0) and Exploit Kits

Patched with MS15-044, CVE-2015-1671 is described as a TrueType Font Parsing Vulnerability. Silverlight up to 5.1.30514.0 is affected, but note: most browsers will warn that the plugin is outdated. Out of...

CVE-2014-2419 (Internet Explorer) and Exploits Kits

As published by FireEye, Angler EK is now exploiting CVE-2014-2419, fixed with MS15-065. Angler EK: 2015-08-10. It seems they might have started to work on that exploit as early as 2015-07-24, where some...

CVE-2015-5560 (Flash up to 18.0.0.209) and Exploit Kits

Patched with Flash version 18.0.0.232, CVE-2015-5560 is now being exploited by Angler EK. Angler EK: 2015-08-29. [Edit: 2015-09-01] Exploit identified by Kaspersky as a candidate for CVE-2015-5560 [/edit]. The exploit has...

Shifu

Over the last several days I have noticed a shift in malware distribution in the UK. Many infection paths that I follow are now dropping a banker that I already saw many times, especially at the end of 2014 and...

A DoubleClick https open redirect used in some malvertising chain

In the post on the UK-focused Shifu I illustrated malvertising traffic to Angler. The traffer group behind this activity is the same one exposed by BelchSpeak from Invincea in many tweets (explaining the...

CVE-2015-7645 (Flash up to 19.0.0.207) and Exploit Kits

CVE-2015-7645 has been fixed with Adobe Flash Player 19.0.0.226. Spotted in the wild (2015-10-13) in APT28's exploit kit by TrendMicro, this exploit was already reported 2 weeks before (2015-09-29)...

Inside Jahoo (Otlard.A?) - A Spam Botnet

(Image: Trash and Mailbox by Bethesda Softworks)

Otlard.A (or let's say at least the malware triggering 2806902 || ETPRO TROJAN Win32.Otlard.A C&C Checkin response) is a spam botnet. I saw it loaded as a...

Nuclear Pack loads a fileless CVE-2014-4113 Exploit

Yesterday's Nymaim spam campaign was also redirecting to Nuclear Pack. Without big surprise, the sample (592899e0eb3c06fb9fda59d03e4b5b53) dropped by Nuclear is the same as the fake update proposed. But...

CVE-2015-8446 (Flash up to 19.0.0.245) And Exploit Kits

One week after the patch, Flash 19.0.0.245 is being exploited by Angler EK via CVE-2015-8446. Angler EK: 2015-12-14. CVE identification by Anton Ivanov (Kaspersky) and FireEye (thanks!). Angler EK exploiting...

XXX is Angler EK

(Image: Snapshot of MonterAV affiliate)

As I got many questions about an EK named XXX (that is said to be better than Angler ;) ), I decided to share some data here. XXX is Angler EK (it's the real name of its...

CVE-2015-8651 (Flash up to 20.0.0.228/235) and Exploit Kits

While other exploit kits are struggling to keep up with Angler (none is firing CVE-2015-8446, maybe because of the Diffie-Hellman protection on Angler's exploits), Nuclear / Magnitude and Neutrino...

Cryptowall son of Borracho (Flimrans)?

Lately I received multiple questions about the connection between Reveton and Cryptowall. I decided to have a look. A search in the ET Intelligence portal at domains from Yonathan's Cryptowall Tracker ET...

CVE-2016-0034 (Silverlight up to 5.1.41105.0) and Exploit Kits

Fixed with the January 2016 Microsoft patches, CVE-2016-0034 (MS16-006) is a Silverlight memory corruption vulnerability, and it has been spotted by Kaspersky with rules to hunt Vitaliy Toropov's...

CVE-2016-1010 (??? - Flash up to 20.0.0.306) and Exploit Kits

NB: the CVE id is not confirmed yet. This one is used with the same "power". I'll fix/replace it if it appears to be the wrong id. Two weeks after the Flash patch, two months after the last Flash exploit...

CVE-2016-1019 (Flash up to 21.0.0.182/187) and Exploit Kits

Spotted in a "degraded" version on 2016-04-02 in Magnitude, and live since 2016-03-31 in Nuclear Pack; Adobe was really fast at fixing this vulnerability, with the patch released on 2016-04-07...

Bedep has raised its game vs Bot Zombies

(Image: Simulacra & Simulation - Jean Baudrillard, featured in Matrix)

Bedep could be described as a fileless loader with a resident module that can optionally perform ad fraud. It is closely tied to Angler EK and...

U-Admin (Universal Admin): A Phishing(Web&Android)/Grabber/ATS/Token kit

(Image: Fallout Vault Boy mask)

The goal of this post is to open-source data on a kit that has been seen live impersonating bank portals. This is mostly raw data; only a few parts will be "google translated". On...

CVE-2016-4117 (Flash up to 21.0.0.213) and Exploit Kits

Discovered being exploited in the wild by FireEye [1] on May 8, 2016, and patched 4 days later with Flash 21.0.0.242, CVE-2016-4117 is making its way to exploit kits. Magnitude: CVE confirmed by FireEye -...

Is it the End of Angler?

Everyone looking at the drive-by landscape is seeing the same thing: after Nuclear disappeared around April 30th, Angler EK totally vanished on June 7th. We were first thinking about vacation, as in January...

CVE-2016-0189 (Internet Explorer) and Exploit Kit

Spotted in the wild by Symantec and patched with MS16-051 in May 2016, CVE-2016-0189 is now being integrated in exploit kits. Neutrino Exploit Kit: here on 2016-07-13, but I am being told that I am late to the...

Fox stealer: another Pony Fork

(Image: Gift for SweetTail-Fox-mlp by Mad-N-Monstrous)

Small data drop about another Pony fork: Fox stealer. The first sample of this malware I saw was at the beginning of September 2016, thanks to Malc0de. After...

RIG evolves, Neutrino waves goodbye, Empire Pack appears

Around the middle of August many infection chains transitioned to RIG, with more geo-focused bankers and less CryptXXX (CryptMic) ransomware. Picture 1: Select drive-by landscape - middle of August...

CVE-2016-7200 & CVE-2016-7201 (Edge) and Exploit Kits

CVE-2016-7200 & CVE-2016-7201 are vulnerabilities in the Chakra JavaScript scripting engine in Microsoft Edge. Reported by Natalie Silvanovich of Google Project Zero, they have been fixed in...

Bye Empire, Hello Nebula Exploit Kit.

(Image: Nebula logo)

While Empire (RIG-E) disappeared at the end of December after 4 months of activity (illustration of the last month of witnessed activity for Empire), on 2017-02-17 an advert for a new exploit...

CoalaBot: HTTP DDoS Bot

CoalaBot appears to be built on August Stealer code (panel and traffic are really alike). I found it spread as a task in a Betabot and in an Andromeda, spread via RIG fed by at least one HilltopAds...
